It’s all about aligning “the right information with the right people at the right time,” said HIMSS Executive Vice President Carla Smith in her closing message to attendees of the HIMSS14 Annual Conference & Exhibition. The meeting assembled some 38,000 healthcare professionals and 1,200 exhibitors in Orlando for a week focused on patient safety, care quality, access, affordability, privacy, and security.

At HIMSS14 we were educated on the savings from the financial and business end of healthcare, prevention and patient education, electronic information and data sharing, treatment efficiency while providing quality care and safety, and lastly improving the satisfaction of patients, providers, and staff.

In one educational session, a case study was presented from a large, multi-location Federally Qualified Health Center (FWHCs) where minors and adults were treated for STDs. The organization had a Business Associate Agreement (BAA) in place with the grant funder and data collector. However, computers were stolen from the grant-funding organization but it was never determined if patient data was accessed. It is important to note that once again stolen computers were not encrypted, as we’ve seen before a risk analysis was not performed, and a contingency plan for notification was not in place. The key findings can almost be copied from several previous breach events.

I remember thinking about what Chris Heuman, the Practice Leader of RISC Management and Consulting tells our clients “Know why, what and how; meaning understand why you need to protect information, such as regulations, what is required to protect that information, and how to implement and manage those protections.” It is very important to recognize where the HIPAA Privacy and Security Rule and the HITECH Act play a role in safeguarding the confidentiality, integrity, and accessibility of the patient’s protected health information. RISC worked to express that taking care of a patient’s health includes ensuring the privacy and security of their health, personal, and financial information as well. The last thing an individual needs to endure when recovering from or managing a condition is identity theft.

The breach referenced above serves to remind the industry that even the basics have not been addressed across the continuum. Foundational security program elements are still being ignored or abbreviated. It is important to have policies and supporting procedures in place to state the intent of the organization to prevent costly data breaches. Priorities should be approved by management, and strategies put in place to implement industry best practice, and to consult with resources that are subject matter experts in compliance. Begin always by performing a risk analysis and providing workforce training.

Say what you are going to do, and do what you said you were going to do

Know the role of the Privacy and Security Officers and how they differ

Complete a comprehensive Risk Analysis

Have a data breach notification policy, develop and test a procedure, and ensure members of the response team are trained

Train all members of your workforce, consistently and constantly

The best part of the last day of HIMSS14 was the Keynote Speaker Erik Weihenmayer. Weihenmayer is a World Class Blind Adventurer. He is the embodiment of overcoming adversity and leads an exhilarating and fulfilling life. He was the first and only blind person who made it to the top of Mount Everest in 2008. In this is a lesson for all of us; with the right drive and desire, training, preparation, and follow through, we can accomplish what we set out to do regardless of perceived obstacles.

A Smartphone is a device that enables you to make a phone call and has many differing types of added capabilities similar to a computer. Emails, playing games, taking photographs, alarm clock, and editing documents are just a few examples that a smartphone is capable of. Smartphones come in many flavors from a multitude of manufacturers, so the term is used here generally to describe a communications device with some traditional computing capabilities.

We all use our smartphones to learn about other people, places, or businesses, but have you ever thought about what your smartphone is revealing about you? As I enjoyed adding new apps in my brand new smartphone, I was asked for permission by the application prior to installing. Like many people, I was fine until I saw that the application required full network access. The browser and other applications needed to send data to the internet. It wanted permission to read phone status and identity by accessing the device ID, etc. In addition, it wanted to read personal information about me by reading my web bookmarks and history. This application, and the unknown company behind it, will know all the URLs that my browser has visited, and all of the browser’s bookmarks. It can even see my Wi-Fi connection and use developmental tools testing in my phone.

Background

In the past, personal digital assistants or PDAs were used as portable organizers to store your contact information, to do list, and has the ability to sync with your desk top computer. Cell phones were only used for making telephone calls. Pagers are wireless telecommunications devices for receiving and displaying numeric or text messages only. With the popularity of smartphones, pagers and PDAs became less popular. Now, it makes more sense to carry an android phone because of its versatility and usefulness. Pagers enjoyed their popularity in the 90s both in healthcare and in illegal drug sales as made popular by the HBO series The Wire. Healthcare, being focused on stability and guaranteed communications, stuck with pagers longer than most industries.

Reasons for buying smartphones include pricing, battery life, camera features (no endorsement implied), limited computing power, social networking support, and the list goes on. Another reason is popularity and ease of use. The Apple iPhone has been incredibly popular because of their charismatic look, high performance score, and image quality of 100% according to the Top Ten Reviews (2014) of the Apple iPhone 5s. However the price of $649.00 is hefty compared to Samsung’s Galaxy S of $199.99. Samsung is known for their gizmos, gadgets, and fun software such as the drama mode for moving pictures. The Top Ten Reviews (2014) for the Galaxy is only at 80% compared to the 100% of the iPhone’s image quality.

But who is snooping for your information?

Popularity aside, we should be asking ourselves how smartphones are being targeted or attacked. Criminals, advertisers, commercial organizations, and the government are the four big categories that come easily to mind. Criminals can install surveillance spyware to record your activities and upload the information to a web-based account. Some spyware can even enable your phone’s microphone and camera to listen and record your location.

An article written way back in 2010 said it perfectly “Thanks to the Bush administration and one Will Smith movie, we all have a fairly justifiable fear of government surveillance” (Hill, 2010). They are referring to modern technology and the hi-tech gadgets. Geofencing is being used by business where a GPS enabled cell phone has a software enabling managers to know where their employees are located through an email alert. Employees are provided with a work cell phone for clocking in and out, recording their breaks, etc.

Just being aware of your actions and existing federal laws is a great start. Read up on the Electronic Communications Privacy Act (ECPA) enacted in 1986 ECPA (18 U.S.C. §§ 2510-22) includes the Wiretap Act, Stored Communications Act, and the Pen Register Act. It can apply to both law enforcement agencies and companies.

The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.

Recently the University of Maryland was the victim of a sophisticated computer security attack, or hacking incident, that involved the breach of a significant database at the University. This breach may have exposed the records of over 309,000 faculty members, staff members, students, and other affiliated personnel from some of the University’s campuses.

Once again, similar to far too many other data breach events, the breached information included Social Security Numbers, or SSNs. While the University is offering free credit monitoring to those affected, anyone who has endured an identity theft incident knows that the inconvenience is far more extensive than twenty dollars and one year of credit monitoring.

While it may take the incident forensic specialists, and their recently doubled IT Security Staff (self-claimed), some time to determine the root cause, the actual and total information breached, and whether procedural or technical reasons permitted the breach to happen, the incident as a whole serves to remind us that we all must be continually diligent.

Continued diligence involves assessing your own organization, and your data security controls in an authorized and controlled manner. Unauthorized parties are assessing your security controls on a constant basis. The benefit to performing your own assessment, such as a Technical Vulnerability Assessment, is that you are privy to the results. When a “hacker” assesses your controls the only results you may receive, or maybe not, is success or failure of their efforts.

There’s nothing like being able to participate and listen to live simulcast of keynotes and education sessions. I enjoyed the education sessions last year as much as hearing the keynote speaker, however if time is of the essence the virtual world is the answer.

If short in time, I recommend the Securing Patient Data in a Mobilized World: http://www.himssconference.org/Education/EventDetail.aspx?ItemNumber=24814&MetaDataID=2714&navItemNumber=22925

To get us started, RISC Management and Consulting, is hosting a Five Part Practical Security Series. RISC will describe common scenarios and solutions we have experienced across a large segment of organizations.

Nursing friends, hope you find time from your busy schedule to meet me in sunny Florida for the HIMSS14 Annual Conference. It is only 4 days away! I am very excited about the nursing informatics community: HIMSS14 Nursing Informatics Symposium on the 22nd and the 23rd of February.I will not make the Reception because of an awesome RISC Premier Soccer Club game, but you might see me in the virtual HIMSS world taking some CEUs.